Gareth Heyes Wrote:
-------------------------------------------------------
> oooo sweet much more sexier now :D
>
> btw backtracking a bit did you try the technique
> mentioned earlier with the Object.prototype
> instead of the WebSocket prototype that could work
> for getting message
Yes, I mentioned it above:
Object.defineProperty(window.WebSocket.prototype, 'onm
Forum: Networking

One annoying thing is that I seem to be unable to set the message.data directly, which is why I am sending a {data:data}-object into the "trueonmessage"-function. Not happy about that..
Forum: Networking

This piece of code is not dependent on jetty, can be tested in the chrome console. I don't know why it does not work, but I am no guru either... :
window.WebSocket.prototype.__defineSetter__('onmessage', function(val) { alert(val); });
x=new WebSocket("ws://localhost:8080/ws/");
x.onmessage=function(){alert(2);}
Forum: Networking

I have been experimenting a bit with websockets, mostly to intercept and tamper with websocket traffic. In order to do so, I am using Jetty and the default chat-application which is bundled in the release ( > 7.0). I use google chrome as a browser.
Anyway, I am testing approaches to, on the client side, tamper with data
a) before it is sent to the server and
b) when it is received, befo
Forum: Networking

A while ago I wrote a blawgpost about a new NSE-script I wrote an even longer while ago, which can be used to dump out the contents of an RMI registry found during an nmap scan:
http://www.swende.se/index.php/2010/12/dumping-the-rmi-registry-with-nmap/
Forum: News and Links

This thread contains postings from no less than three guys who will be presenting at the Appsec Conference in Stockholm! Cool! (sirdarckcat, thornmaker and jonas)
@Jonas : I read the paper by Phung/Sands/Chudnov about "Lightweight Self-protecting javascript" last summer and thought that you guys would probably find some of these sla.ckers-threads pretty fun...
Forum: Obfuscation

@Jonas: I'll be there - I'm in the organizing committee (my real name is Martin Holst Swende). However, there's a big IF : the ETA of our daughter #2 is June 29th, so if she's a week early I will miss the whole show...
Anyway: currently I am fixing for the dinner party, which will be held at city hall (Yeahp! Same place where the Nobel Prize dinner is held! (but a smaller room: The Golden Hall)
Forum: Obfuscation

@sirdarckcat : very good question. When that particular challenge-item was written, nobody really considered the domain aspects of xhr. Therefore, we are now changing that rule to better suit the overall objective of getting a polyglot that is less context-dependent.
To all: Our sincere apologies for having fuzzy rules and also changing the rules in the middle of the race! Hope you bear with us
Forum: OMG Ponies

Regarding time-issue, after some input from John, we decided that the solution should not be tied to any particular server (since it should be able to be used in any context as a showcase). So, the javascript should get the time from the client machine and calculate stockholm time from that (best-effort).
Sorry about all the confusion about the rules!
Forum: OMG Ponies

> can you clarify whether xhr is allowed to fulfill the quine requirement?
Yes, xhr is allowed!
>For the time in Sweden part, which is preferred: hard-coding a server into the GIF so the image itself is more portable... or... not hard-coding any domain so that the image assumes the present server will have the time in some manner? The second option seems less reliable since hosting se
Forum: OMG Ponies

Sorry we haven't answered the questions earlier, I have some problems connecting to *.ckers.org from home (for some reason, I need to tunnel somewhere else and connect from there - perhaps my ISP is blocking it).
1. Should the JS execute in multiple browsers?
FF is the target. We will only validate that it works on FF, but bonus points if the solution is poly-browser.
2. Is it okay for th
Forum: OMG Ponies

@SW : Yes, we are talking about byte size : one restriction is to *not* bloat the file. And, the logical size of the gif image must be preserved. Nice first shot! I see alerts showing time- but the filename indicates quines also. Is that implemented?
Forum: OMG Ponies

I usually check out the rss feed-page to see what is new, and browse through it all to see what is interesting. So far so good. But couldn't you guys put together a page with similar functionality of displaying everything recent that also :
- Shows the names of the authors
- Marks the entries as read
- Can be navigated to see even older messages than just the last X messages
Forum: Bugs

We planned to announce the winner and release the solution after the holidays, but since it is out in the open anyway now; Yes, we have a winner: Andreas Fobian, who also graciously wrote the walkthrough mentioned above.
Congratulations! I am impressed by how quick it was solved!
Forum: OMG Ponies

New challenge posted. From the OWASP wiki (http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden ) :
---
Merry Christmas everyone!
It's the 21st and a new AppSec Research Challenge is posted.
Setting up the AppSec Research 2010 X-mas Challenge was a cooperative effort by the winner of AppSec Research Challenge 3, Mario Heiderich, and Martin Holst Swende. It is a multi
Forum: OMG Ponies

The winner is posted, congratulations sdc!
John/Manjit official post below :
---
The winner of the AppSec Research 2010 October Challenge is (... drumroll ...) FireworksIsNotABrowser_v4 (although we like the slightly oversized v6 better)! Runner-up is TommyM_3D_Wave_v1.1. Thanks for all the hard work, guys! Can "sirdarckcat" please email me?
OC votes for FireworksIsNotABrowser_v4:
Forum: OMG Ponies

Wow, there are some really cool submissions here. I knew that some pretty amazing stuff could theoretically be done but it is really fun to actually see it pursued.
There should be a demo-scene for this stuff like there was back in the day of 64K-demos and no graphics cards...
Forum: OMG Ponies

October 21st is here and with it a new OWASP AppSec Research 2010 challenge.
The winner gets free entrance to next year's AppSec conference in Stockholm.
Last month we had "Who's Who in Security?" so it's time for a more technical
task. JavaScript can be obfuscated as seen in Challenge 3 but you can also
get really creative with the language. *This month's challenge is about
writi
Forum: OMG Ponies

I am testing a server running php, but the php files are encrypted with zend. PHP uses the Zend autoloader to decrypt them at runtime. Can I decrypt them and view the source? I have full access to the machine.
Forum: SQL and Code Injection